Thursday, October 2, 2014

Powershell AD password (unique) reset and send email



Resetting passwords is a day-to-day task for the helpdesk or IT team, and it also plays a crucial role in IT security. Here I have written a script that resets a password and unlocks the account. The main point of this script is that the helpdesk/IT team resets the password but never learns it: every time they run the script it generates a unique password, which is sent by email to the AD account owner's manager or team leader. It uses my earlier written script to generate a unique random password.

The machine you run this on must have RSAT (Remote Server Administration Tools: AD DS tools and the PowerShell module for AD) installed.
This is the basic way to run a PowerShell ps1 script: copy the script content into Notepad, save it in c:\temp (or a location of your own) and rename the extension to ps1.

You will need to make one small, one-time modification to the script: fill in the "from" email ID (managers will receive the email from this address) and the "SmtpServer" (your email server).

Once everything is in place, open Command Prompt (cmd) with Run as administrator.
The command below starts PowerShell from within the command prompt and executes the script file; the execution policy is set to unrestricted for that PowerShell process so the script is allowed to run.

Powershell -NoProfile -ExecutionPolicy unrestricted -File c:\temp\Reset-Account.ps1
The ActiveDirectory module is imported into PowerShell.


Type a valid SAM AD account name. If you just hit Enter or type a wrong name it prompts again and will not exit until you provide a valid name, because it verifies with AD that the account exists. Next it asks whom the email containing the password should go to. Now ask the TL to check their email.

I hope this is informative and will help someone to implement AD password reset security.

 
 #####################################  
 ## http://kunaludapi.blogspot.com  
 ## Version: 1  
 ## Tested this script on successfully
 ##  1) Powershell v3  
 ##  2) Windows 2012  
 ##  
 #####################################
Begin {  
   Clear-Host  
   #Check for Active Directory module  
   if (-not (Import-Module activedirectory)) {  
     Import-Module activedirectory  
   }  
   
   #Generate Random Password  
   function Generate-Password {  
     $alphabets= "abcdefghijklmnopqstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()"  
     $char = for ($i = 0; $i -lt $alphabets.length; $i++) { $alphabets[$i] }  
   
     for ($i = 1; $i -le 9; $i++)  
     {  
       $CharArray += Write-Output $(get-random $char)  
       if ($i -eq 9) {} #write-output `n  
     }  
     $CharArray  
   }  
     
   #Get AD user account and validate it  
   do {   
     $SamAccountName = Read-Host "`nReset Password For AD Account"  
   
     if ($SamAccountName -eq "") {  
       Clear-Host  
       Write-Host -Object "`nPlease type AccountName`n" -BackgroundColor Red  
       continue  
     }  
     elseif ($(Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)").SamAccountName -eq $SamAccountName) {  
       $AccountToReset = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)"  
         
       break  
     }  
     else {  
       Clear-Host  
       Write-Host -Object "`nTyped Account Name doesn't exists, Please try again`n" -BackgroundColor Red  
       $Everything_is_fine = $false   
     }  
   }  
   while ($SamAccountName -eq "" -or $Everything_is_fine -eq $false)  
     
   Write-Host "`nAccount has been verified and it exists`n" -ForegroundColor Green  
     
   $To = Read-Host "`nTL or Manager you want to send password to[Manager@example.com]"  
   #One Time Information fillup  
   $From = "donotreply@example.com"  
   $Subject = "Password reset request for user $SamAccountName"  
   $SmtpServer = "mail.example.com"  
   $port = 25  
 }  
   
 Process {  
   #Reset password and unlock it  
   $PlainText = Generate-Password  
   $Password = ConvertTo-SecureString -AsPlainText $PlainText -Force  
   $AccountToReset | Set-ADAccountPassword -Reset -NewPassword $Password  
   $AccountToReset | Unlock-ADAccount  
   Write-Warning "Password reseted and unlocked"  
   
   #Send Email  
   $Body = "$SamAccountName requested for New password and it is $PlainText"  
   Send-MailMessage -To $To -From $From -Subject $Subject -Body $Body -SmtpServer $SmtpServer -Port 25  
   Write-Host "Information emailed to Manager or TL" -ForegroundColor Cyan  
 }  
   
 End {  
   #Write-Host "New password is $PlainText"  
   Pause  
 }  
I am aware of System.Security.Cryptography.RNGCryptoServiceProvider for solid randomness, but wanted to build this script as an example only. Also, compiling this script to an exe will help to secure it more. You can use this script with some more variations to it; for example, instead of sending an email, the password can be sent to the user over SMS (for this the user account properties should have the information).
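A hardened variant of the generation and reset steps, added here as an example and not part of the post's script: it draws the password from the RNGCryptoServiceProvider mentioned above (rejection-sampled to avoid modulo bias, one character from each class, then shuffled), forces the user to change the password at next logon so the manager only ever holds a one-time value, and writes an audit line that never contains the password. The function names and the audit-log path are my own assumptions.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module is loaded
# and the caller has reset rights; function names and $AuditLog path are assumptions.
function Get-SecureRandomIndex {
    # Uniform integer in [0, $Max) from a CSPRNG, rejection-sampled to avoid modulo bias
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf = New-Object byte[] 4
    [uint64]$space = 4294967296
    $limit = $space - ($space % $Max)   # largest multiple of $Max that fits in 32 bits
    do {
        $Rng.GetBytes($buf)
        [uint64]$n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}
function New-RandomPassword {
    param([int]$Length = 14)
    # Same character set as the post, split into classes so one of each is guaranteed
    $classes = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                 '0123456789', '!@#$%^&*()')
    $all = -join $classes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars = foreach ($c in $classes) { $c[(Get-SecureRandomIndex $rng $c.Length)] }
    $chars += for ($i = $chars.Count; $i -lt $Length; $i++) { $all[(Get-SecureRandomIndex $rng $all.Length)] }
    # Fisher-Yates shuffle so the class-guaranteed characters do not always come first
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomIndex $rng ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    $rng.Dispose()
    return -join $chars
}
function Reset-ADAccountSecurely {
    param([Parameter(Mandatory=$true)][string]$SamAccountName,
          [string]$AuditLog = 'C:\temp\password-reset-audit.log')   # assumed path
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop   # throws if unknown
    $plain = New-RandomPassword
    $secure = ConvertTo-SecureString -AsPlainText $plain -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Unlock-ADAccount -Identity $user
    # The manager only ever holds a one-time value: the user must change it at next logon
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    # Record who reset whom and when; the password itself is never written to disk
    "$(Get-Date -Format o) $env:USERDOMAIN\$env:USERNAME reset $($user.SamAccountName)" |
        Add-Content -Path $AuditLog
    return $plain
}
```

Calling `Reset-ADAccountSecurely -SamAccountName jdoe` returns the plaintext once, for the caller to pass on exactly as the post's script does with Send-MailMessage.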

Generate random password Powershell.